Changing the TMSADM password

This document describes the steps to take when password restrictions prevent STMS from functioning. It covers the notes to be applied and the execution of report TMS_UPDATE_PWD_OF_TMSADM.

Before proceeding further with TMSADM please ensure that all related notes at the end of this document have been reviewed and/or applied to your system(s) if relevant.

The password restrictions are preventing STMS from functioning. Some password restrictions that affect the TMS user TMSADM:

You can also run reports RSPFPAR and RSPARAM in SE38 to get information about the parameters.

Also check parameter login/password_downwards_compatibility and make sure it is set to ‘1’ in all systems. If it is set to ‘5’, it means “compatible to old release” and this forbids lowercase characters.

The user TMSADM was already reset and the RFCs were generated in STMS:

According to SAP Note 1568362 – TMSADM password change, there are two ways of solving this problem. One is to execute some manual steps (as of release 7.3, table TMSCROUTE is not involved in the TMSADM change password configuration). The other, intended for large landscapes, is to apply some notes and run a report. In this example, we will go with the second option:

2. Make sure the user TMSADM is not locked in all the systems of the landscape:

3. Run report TMS_UPDATE_PWD_OF_TMSADM. It must be run on the DC (domain controller) in client 000.

TMS_UPDATE_PWD_OF_TMSADM has three different options:

1. Own Password as in System Settings
With this option the customer sets a password of their own choosing for the TMSADM user. When choosing this option, the following fields are available:
– Password
– Confirm Password
The customer must use these fields to enter the password they want for the TMSADM user.

2. New Standard Password (see SAP Note 761637)
With this option the program will automatically set the “New Default Password” for TMSADM.

3. Old Standard Password
Finally, this option will set the “Old Default Password” for TMSADM user.

The “Old Default Password” is the password that SAP defined for the TMSADM user a long time ago, and it has been used for years by our customers. That password only contains letters. But if a customer sets stringent password rules in a system (for example, the password must contain at least one digit, or special characters), user TMSADM is affected by those restrictions. Therefore, SAP has created a “New Default Password” that complies with the general password restrictions that are set in a system. This new password contains uppercase and lowercase letters, digits and special characters.

For security reasons, the TMSADM default password is no longer allowed to be provided. For this reason, the options for this have been removed.

As such when you run Report TMS_UPDATE_PWD_OF_TMSADM you will only get the option to define your own TMSADM password. The same is true when joining a system to the domain or creating a domain link.

The results of its execution:

3. Should domain links exist, use SAP Note 1515926. The note should be applied to all systems of the connected domains. Once the note is applied, start the report that is described in Note 1414256 on all of the domain controllers of the connected domains. That means executing TMS_UPDATE_PWD_OF_TMSADM in client 000 on all domain controllers.

When domain links are involved TMS_UPDATE_PWD_OF_TMSADM is more complex.

This allows systems in DOMAIN_A to communicate with systems in DOMAIN_B.

As a result, when you update the password for user TMSADM in DOMAIN_A (by running TMS_UPDATE_PWD_OF_TMSADM), it will also update RFCs TMSADM@*.DOMAIN_A in DOMAIN_B (when note 1515926 is implemented in all systems in both domains).

The same happens when you update the user password for TMSADM in DOMAIN_B (by running TMS_UPDATE_PWD_OF_TMSADM). The report will update RFCs TMSADM@*.DOMAIN_B in DOMAIN_A.

As a result, communication between the two domains will remain. If note 1515926 were not applied to all systems of both domains and you ran the report TMS_UPDATE_PWD_OF_TMSADM from one or both domain controllers, then communication between DOMAIN_A and DOMAIN_B is no longer possible. This is the result of the user TMSADM being locked due to too many failed logon attempts with the wrong TMSADM password.

It is important to check (via RZ11) parameter login/password_downwards_compatibility.

As of Basis release (SAP_BASIS) 7.0, the system supports logon with passwords that can consist of up to 40 characters (previously: 8), and for which the system differentiates between upper- and lower-case (previously: system automatically converted to upper-case). All Unicode characters are also supported.

Unfortunately, this change is not backward compatible. The passwords are stored as backward incompatible hash values. If this system is operated with other systems, which only support backward compatible password hash values, the system must react appropriately.

1: System also generates backward compatible password hash values internally, but does not evaluate these for logons (to this system) using a password; this setting is required if this system is the central system of a Central User Administration and systems that only support backward compatible password hash values are also connected to the system group.

2: The system also generates backward compatible password hash values internally and evaluates these if a logon using a backward incompatible password failed, to check whether logon with the backward compatible password (truncated after eight characters and converted to upper-case) would have been accepted. This is logged in the system log; the logon fails. (Identification of backward incompatibility problems).

3: As with 2; however, the logon is regarded as successful. (Avoidance of backward incompatibility problems).

4: As with 3, but no system log entry is written.

5: System only issues backward compatible password hash values.

login/password_downwards_compatibility = 5 will not work with TMSADM using “new standard” password as this means that only downward compatible passwords are allowed, which are in uppercase and max. 8 characters long.
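Before choosing an own password in the report, the candidate can be checked against each system's settings. The Python sketch below is an added example, not part of the original article or of any SAP tooling. The landscape values and the candidate password are constructed, the login/min_password_* names are standard profile parameters that this page does not list, and the character-class counting is an approximation.

```python
# Constructed sample: profile parameter values per system, e.g. read via RSPARAM.
LANDSCAPE = {
    "DEV": {"login/password_downwards_compatibility": 1,
            "login/min_password_lng": 8, "login/min_password_digits": 1},
    "QAS": {"login/password_downwards_compatibility": 5,
            "login/min_password_lng": 8},
    "PRD": {"login/password_downwards_compatibility": 3,
            "login/min_password_lng": 10, "login/min_password_specials": 1,
            "login/min_password_lowercase": 1},
}

# How each login/min_password_* rule is counted. Treating "special" as
# "neither letter nor digit" is an assumption of this example.
COUNTERS = {
    "login/min_password_lng": len,
    "login/min_password_digits": lambda p: sum(c.isdigit() for c in p),
    "login/min_password_lowercase": lambda p: sum(c.islower() for c in p),
    "login/min_password_uppercase": lambda p: sum(c.isupper() for c in p),
    "login/min_password_specials": lambda p: sum(not c.isalnum() for c in p),
}

def downward_compatible_form(password):
    """Backward compatible form: truncated after 8 characters, upper-cased."""
    return password[:8].upper()

def check_system(params, password):
    """Return findings for one system; an empty list means no issue found."""
    findings = []
    for name, count in COUNTERS.items():
        required = int(params.get(name, 0))  # missing = no requirement (assumption)
        if count(password) < required:
            findings.append(f"{name}={required} not met")
    mode = int(params["login/password_downwards_compatibility"])
    if mode == 5 and password != downward_compatible_form(password):
        findings.append("mode 5: only upper-case passwords of max. 8 characters work")
    elif mode in (3, 4):
        findings.append(f"mode {mode}: truncated upper-case form is also accepted at logon")
    return findings

def check_landscape(landscape, password):
    """Check one candidate password against every system in the domain."""
    return {sid: check_system(params, password) for sid, params in landscape.items()}

if __name__ == "__main__":
    # Constructed candidate password, for illustration only.
    for sid, findings in check_landscape(LANDSCAPE, "Tr4nsp0rt#Mgmt").items():
        print(sid, "OK" if not findings else "; ".join(findings))
```

A system reported with a mode 5 finding would reject the new TMSADM password at logon, which is the situation that leads to the user being locked after repeated failed attempts.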

FINALLY:

New destination options have been added to TMS_UPDATE_PWD_OF_TMSADM, because using the above report in large systems is a complex matter.

The TMSADM update report requires an RFC connection for each system in the landscape, and if you have a very large landscape it means logging on to a lot of systems. Previously, there was no option to use trusted RFC for this. As a result, note 1801805 was created. Please implement the correction instructions in the domain controller (remember, if the domain controller changes, the note must be implemented there too) and follow the manual instructions in the note.

5 Comments

Can you please let me know how to change the password for Netweaver 740.

I understand we have to run the report TMS_UPDATE_PWD_OF_TMSADM, but in the destination field when I enter the RFC destination TMSADM@SID.DOMAIN_SID & TMSSUP@SID.DOMAIN_SID I get the pop-up Destination pattern must contain SID and domain, please help me know how to key in the Destination field.

We just can run the report TMS_UPDATE_PWD_OF_TMSADM with the default destination and password will be updated through the domain? Also should we use the same password for TMSADM throughout the landscape D, Q and P?

Note # 1801805 is a nice feature if you have a very large landscape as it means you do not have to logon to each system in the domain when you run the report because trusted RFCs can be used. Setting up the trusted RFCs as per the note is a little difficult and only worth the effort if the landscape is very large. For a 3 system landscape it is not worth the effort. You run the report from the domain controller and the password you pick (if you pick your own) will be the same password for all systems in that domain. Alternatively you can choose the new standard password option which contains a mixture of uppercase, lowercase, digits and special characters that suit most customer’s password rules.